BotIntelli — SSO Configuration User Guide
This guide explains SSO Configuration: how to set up and test an OIDC-based SSO provider for your organization (Enterprise plan).
What Is SSO Configuration?
SSO (Single Sign-On) Configuration lets organization admins connect BotIntelli to an identity provider (e.g. Okta, Azure AD) using OIDC. Once configured, members can sign in with their corporate credentials instead of (or in addition to) email/password. This is typically an Enterprise feature.
Where to Find It
- Sidebar: Security & Compliance → SSO Configuration.
- URL: https://app.botintelli.com/dashboard?view=rbac-sso or https://app.botintelli.com/settings/security/sso.
Complete User Journey
Step 1: Open SSO Configuration
- Plan: You must be on an Enterprise plan; otherwise the page may show a plan gate or upgrade message.
- You see a form with fields for the OIDC provider and optional Test connection.
Step 2: Enter Provider Details
- Client ID — From your IdP (e.g. Okta/Azure AD application). Required.
- Client Secret — Secret for the same application. Keep it confidential.
- Discovery URL — OIDC discovery endpoint (e.g. https://your-idp.com/.well-known/openid-configuration). Required.
- Scopes — Comma-separated scopes (default often openid,email,profile). Add others (e.g. groups) if needed for role mapping.
- Role mapping — Optional. Map IdP attributes to BotIntelli roles, one per line, e.g. admin:admin,group_sales:editor. Format depends on the app (e.g. key:value per line).
Step 3: Save Configuration
- Click Save. The app stores the config (client secret is stored securely). If validation fails, fix the fields as indicated and save again.
Step 4: Test Connection (When Available)
- Click Test connection (or “Test SSO”). The app checks discovery URL, client ID/secret, and optionally performs a test login. You see success or an error message (e.g. invalid discovery URL, wrong client ID). Fix config and test again until it passes.
Step 5: Roll Out to Users
- After a successful test, inform users they can sign in with SSO (e.g. “Sign in with Company SSO” on the login page). Exact behavior (SSO-only vs optional) depends on your IdP and app settings.
Input Fields
| Field | What to enter |
|---|---|
| Client ID | OIDC client ID from your IdP application. |
| Client Secret | OIDC client secret from the same application. |
| Discovery URL | Full URL to .well-known/openid-configuration. |
| Scopes | Comma-separated, e.g. openid,email,profile or openid,email,profile,groups. |
| Role mapping | Lines of role_key:BotIntelli_role (e.g. admin:admin). |
Tips and Troubleshooting
- Test fails — discovery: Ensure the discovery URL is reachable and returns valid OIDC metadata.
- Test fails — client: Verify client ID and secret; ensure redirect URI in the IdP matches what BotIntelli expects (check in-app or docs).
- Users can’t sign in with SSO: Confirm SSO is enabled and that role mapping (if used) matches your IdP’s claims.
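A pre-check you can run on the discovery document before pasting the values into the form, as an added example (not BotIntelli code; how the in-app Test connection works is not documented here). It applies the OpenID Connect Discovery 1.0 rules for required fields and issuer matching, plus the Scopes field format from this guide. The function name, the sample metadata and idp.example.com are assumptions made for illustration.

```python
import json
from urllib.parse import urlparse

WELL_KNOWN = "/.well-known/openid-configuration"
# REQUIRED by OpenID Connect Discovery 1.0 (token_endpoint unless implicit-only).
REQUIRED = ("issuer", "authorization_endpoint", "token_endpoint", "jwks_uri",
            "response_types_supported", "subject_types_supported",
            "id_token_signing_alg_values_supported")
ENDPOINTS = ("authorization_endpoint", "token_endpoint", "jwks_uri")

def check_discovery(discovery_url, metadata, scopes_csv):
    """Return a list of problems; an empty list means every check passed."""
    problems = []
    if urlparse(discovery_url).scheme != "https":
        problems.append("discovery URL is not https")
    problems += [f"missing required field: {f}" for f in REQUIRED if f not in metadata]
    if not discovery_url.endswith(WELL_KNOWN):
        problems.append("discovery URL does not end with " + WELL_KNOWN)
    elif "issuer" in metadata:
        # Issuer must equal the discovery URL minus the well-known suffix.
        expected = discovery_url[:-len(WELL_KNOWN)]
        if str(metadata["issuer"]).rstrip("/") != expected:
            problems.append(f"issuer {metadata['issuer']!r} does not match {expected!r}")
    for f in ENDPOINTS:
        if f in metadata and urlparse(str(metadata[f])).scheme != "https":
            problems.append(f"{f} is not https")
    requested = [s.strip() for s in scopes_csv.split(",") if s.strip()]
    if "openid" not in requested:
        problems.append("scopes must include openid")
    # scopes_supported is optional metadata; compare only when the IdP lists it.
    supported = metadata.get("scopes_supported")
    if supported is not None:
        problems += [f"scope not advertised by IdP: {s}" for s in requested if s not in supported]
    return problems

# Constructed sample metadata for a hypothetical IdP (idp.example.com).
SAMPLE_URL = "https://idp.example.com" + WELL_KNOWN
SAMPLE_METADATA = json.loads("""{
  "issuer": "https://idp.example.com",
  "authorization_endpoint": "https://idp.example.com/authorize",
  "token_endpoint": "https://idp.example.com/token",
  "jwks_uri": "https://idp.example.com/keys",
  "response_types_supported": ["code"], "subject_types_supported": ["public"],
  "id_token_signing_alg_values_supported": ["RS256"],
  "scopes_supported": ["openid", "email", "profile"]
}""")

if __name__ == "__main__":
    print(check_discovery(SAMPLE_URL, SAMPLE_METADATA, "openid,email,profile,groups"))
```

To check your own IdP, fetch the discovery URL with any HTTPS client and pass the parsed JSON as `metadata`. A reported `groups` scope mismatch explains role mapping that never matches, because the IdP does not advertise that scope.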
Quick Reference
| Goal | Action |
|---|---|
| Set up SSO | Enter Client ID, Client Secret, Discovery URL, Scopes, optional Role mapping → Save. |
| Check SSO | Test connection and fix any errors. |
For MFA and sessions, see Security. For security event history, see Audit Logs.